Miroslav Lachman
2017-Jan-06 15:36 UTC
VuXML entry for openssh - 10.3 sshd in base vulnerable
Miroslav Lachman wrote on 2017/01/03 14:11:> Security entries for base are in VuXML for some time so we are checking > it periodically. Now we have an alert for base sshd in 10.3-p14 and -15 > too. > > # pkg audit FreeBSD-10.3_15 > FreeBSD-10.3_15 is vulnerable: > openssh -- multiple vulnerabilities > CVE: CVE-2016-10010 > CVE: CVE-2016-10009 > WWW: > https://vuxml.FreeBSD.org/freebsd/2aedd15f-ca8b-11e6-a9a5-b499baebfeaf.html > > 1 problem(s) in the installed packages found. > > > But there is no advisory on > https://www.freebsd.org/security/advisories.html for this problem. > > Is it false alarm? Or did I missed something?3 days without reply... Please, can somebody from FreeBSD team clarify if sshd in base is vulnerable or not? Kind regards Miroslav Lachman
On 1/6/17 07:36, Miroslav Lachman wrote:> Miroslav Lachman wrote on 2017/01/03 14:11: >> Security entries for base are in VuXML for some time so we are checking >> it periodically. Now we have an alert for base sshd in 10.3-p14 and -15 >> too. >> >> # pkg audit FreeBSD-10.3_15 >> FreeBSD-10.3_15 is vulnerable: >> openssh -- multiple vulnerabilities >> CVE: CVE-2016-10010 >> CVE: CVE-2016-10009 >> WWW: >> https://vuxml.FreeBSD.org/freebsd/2aedd15f-ca8b-11e6-a9a5-b499baebfeaf.html >> >> >> 1 problem(s) in the installed packages found. >> >> >> But there is no advisory on >> https://www.freebsd.org/security/advisories.html for this problem. >> >> Is it false alarm? Or did I missed something? > > 3 days without reply... > > Please, can somebody from FreeBSD team clarify if sshd in base is > vulnerable or not?The default configuration is not affected by CVE-2016-10010 because privilege separation is enabled by default. Exploiting CVE-2016-10009 requires non-trivial control over both a SSH server and ability to write file on the system running ssh-agent(1). We plan to issue an advisory soon, but most of users do not need to be worried for the vulnerabilities as the sshd(8) vulnerability requires deliberately weaken the configuration, and it's hard to exploit the ssh-agent(1) vulnerability (if an attacker is able to exploit it, they already have substantial control and there would be much easier attacks than doing it over ssh-agent). Hope this helps. Cheers, -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20170109/421ebd49/attachment.sig>